Transcription

2 May 2004 TECHNOLOGY ASSESSMENT Highlights of GAO , a report to congressional requesters Cybersecurity for Critical Infrastructure Protection Computers are crucial to the operations of government and business. Computers and networks essentially run the critical infrastructures that are vital to our national defense, economic security, and public health and safety. Unfortunately, many computer systems and networks were not designed with security in mind. As a result, the core of our critical infrastructure is riddled with vulnerabilities that could enable an attacker to disrupt operations or cause damage to these infrastructures. Critical infrastructure protection (CIP) involves activities that enhance the security of our nation s cyber and physical infrastructure. Defending against attacks on our information technology infrastructure cybersecurity is a major concern of both the government and the private sector. Consistent with guidance provided by the Senate s Fiscal Year 2003 Legislative Branch Appropriations Report (S. Rpt ), GAO conducted this technology assessment on the use of cybersecurity technologies for CIP in response to a request from congressional committees. This assessment addresses the following questions: (1) What are the key cybersecurity requirements in each of the CIP sectors? (2) What cybersecurity technologies can be applied to CIP? (3) What are the implementation issues associated with using cybersecurity technologies for CIP, including policy issues such as privacy and information sharing? To view the full product, including the scope and methodology, click on the link above. For more information, contact Keith Rhodes at (202) or Many cybersecurity technologies that can be used to protect critical infrastructures from cyber attack are currently available, while other technologies are still being researched and developed. These technologies, including access control technologies, system integrity technologies, cryptography, audit and monitoring tools, and configuration management and assurance technologies, can help to protect information that is being processed, stored, and transmitted in the networked computer systems that are prevalent in critical infrastructures. Although many cybersecurity technologies are available, experts feel that these technologies are not being purchased or implemented to the fullest extent. An overall cybersecurity framework can assist in the selection of technologies for CIP. Such a framework can include (1) determining the business requirements for security; (2) performing risk assessments; (3) establishing a security policy; (4) implementing a cybersecurity solution that includes people, processes, and technologies to mitigate identified security risks; and (5) continuously monitoring and managing security. Even with such a framework, other demands often compete with cybersecurity. For instance, investing in cybersecurity technologies often needs to make business sense. It is also important to understand the limitations of some cybersecurity technologies. Cybersecurity technologies do not work in isolation; they must work within an overall security process and be used by trained personnel. Despite the availability of current cybersecurity technologies, there is a demonstrated need for new technologies. Long-term efforts are needed, such as the development of standards, research into cybersecurity vulnerabilities and technological solutions, and the transition of research results into commercially available products. There are three broad categories of actions that the federal government can undertake to increase the use of cybersecurity technologies. First, it can take steps to help critical infrastructures determine their cybersecurity needs, such as developing a national CIP plan, assisting with risk assessments, and enhancing cybersecurity awareness. Second, the federal government can take actions to protect its own systems, which could lead others to emulate it or could lead to the development and availability of more cybersecurity technology products. Third, it can undertake long-term activities to increase the quality and availability of cybersecurity technologies in the marketplace. Ultimately, the responsibility for protecting critical infrastructures falls on the critical infrastructure owners. However, the federal government has several options at its disposal to manage and encourage the increased use of cybersecurity technologies, research and develop new cybersecurity technologies, and generally improve the cybersecurity posture of critical infrastructure sectors.

8 VPN WAN virtual private network wide area network This is a work of the U.S. government and is not subject to copyright protection in the United States. It may be reproduced and distributed in its entirety without further permission from GAO. However, because this work may contain copyrighted images or other material, permission from the copyright holder may be necessary if you wish to reproduce this material separately. Page vi

9 United States General Accounting Office Washington, DC May 28, 2004 Congressional Requesters Consistent with guidance provided by the Senate s Fiscal Year 2003 Legislative Branch Appropriations Report (Senate Report ), you asked us to conduct a technology assessment on the use of cybersecurity technologies for critical infrastructure protection. This report discusses several current cybersecurity technologies and possible implementations of these technologies for the protection of critical infrastructure against cyber attacks. Potential actions to increase the availability and use of cybersecurity technologies are discussed. Key considerations for the implementation of these actions by infrastructure owners and the federal government are also discussed. We are sending copies of this report to the Secretary of Homeland Security, the Director of the National Science Foundation, and interested congressional committees. We will provide copies to others on request. In addition, the report is available on GAO s Web site at If you have questions concerning this report, please contact Keith Rhodes at (202) , Joel Willemssen at (202) , or Naba Barkakati, Senior Level Technologist, at (202) We can also be reached by at and respectively. Major contributors to this report are listed in appendix VI. Keith A. Rhodes Chief Technologist Director, Center for Technology and Engineering Joel Willemssen Managing Director Information Technology Page 1

10 List of Congressional Requesters The Honorable Susan M. Collins Chairman The Honorable Joseph I. Lieberman Ranking Minority Member Committee on Governmental Affairs United States Senate The Honorable Ernest F. Hollings Ranking Minority Member Committee on Commerce, Science, and Transportation United States Senate The Honorable Adam H. Putnam Chairman Subcommittee on Technology, Information Policy, Intergovernmental Relations and the Census Committee on Government Reform House of Representatives Page 2

11 Technology Overview Technology Assessment Overview Our nation s critical infrastructures include those assets, systems, and functions vital to our national security, economic need, or national public health and safety. Critical infrastructures encompass a number of sectors, including many basic necessities of our daily lives, such as food, water, public health, emergency services, energy, transportation, information technology and telecommunications, banking and finance, and postal services and shipping. All of these critical infrastructures increasingly rely on computers and networks for their operations. Many of the infrastructures networks are also connected to the public Internet. While the Internet has been beneficial to both public and private organizations, the critical infrastructures increasing reliance on networked systems and the Internet has increased the risk of cyber attacks that could harm our nation s infrastructures. Cybersecurity refers to the defense against attacks on our information technology infrastructure. Cybersecurity is a major concern of both the government and the private sector. 1 Technologies such as firewalls and antivirus software can be deployed to help secure critical infrastructures against cyber attacks in the near term, but additional research can lead to more secure systems. While there are many challenges to improving cybersecurity for critical infrastructures, there are potential actions available to infrastructure owners and the federal government. Since 1997, we have designated information security as a government-wide high-risk issue. In January 2003, we expanded this high-risk issue to emphasize the increased importance of protecting the information systems that support critical infrastructures. 2 This technology assessment focuses on the use of cybersecurity technologies for critical infrastructure protection (CIP). Consistent with guidance provided by the Senate s Fiscal Year 2003 Legislative Branch Appropriations Report (Senate Report ), we began this assessment in response to a request from the chairman and ranking minority member 1 It is important to note that physical security and cybersecurity are intertwined and both are necessary to achieve overall security. Physical security typically involves protecting any physical asset from entire buildings to computer hardware from physical attacks, whereas cybersecurity usually focuses on protecting software and data from attacks that are electronic in nature and that typically arrive over a data communication link. 2 U.S. General Accounting Office, High-Risk Series: Protecting Information Systems Supporting the Federal Government and the Nation s Critical Infrastructures, GAO (Washington, D.C.: Jan. 2003). This report highlights our key prior findings and recommendations for federal information security and critical infrastructure protection. Page 3

12 Technology Assessment Overview of the Senate Committee on Governmental Affairs; the ranking minority member of the Senate Committee on Commerce, Science, and Transportation; and the chairman of the Subcommittee on Technology, Information Policy, Intergovernmental Relations and the Census, House Committee on Government Reform. The assessment addresses the following questions: 1. What are the key cybersecurity requirements in each of the critical infrastructure protection sectors? 2. What cybersecurity technologies can be applied to critical infrastructure protection? What technologies are currently deployed or currently available but not yet widely deployed for critical infrastructure protection? What technologies are currently being researched for cybersecurity? Are there any gaps in cybersecurity technology that should be better researched and developed to address critical infrastructure protection? 3. What are the implementation issues associated with using cybersecurity technologies for critical infrastructure protection, including policy issues such as privacy and information sharing? To answer these questions, we began by reviewing previous studies on cybersecurity and critical infrastructure protection, including those from the National Research Council, the CERT Coordination Center (CERT/CC), the Institute for Information Infrastructure Protection (I3P), the National Institute of Standards and Technology (NIST), and GAO. We used a data collection instrument to interview representatives of several critical infrastructure sectors, as identified in national strategy documents. We met with officials from the Department of Homeland Security s (DHS) Information Analysis and Infrastructure Protection (IAIP) directorate to discuss their efforts in organizing and coordinating critical infrastructure protection activities. In addition, we met with representatives of the National Science Foundation (NSF), NIST, the National Security Agency (NSA), the Advanced Research and Development Activity, the Infosec Research Council, and DHS s Science and Technology directorate to discuss current and planned federal cybersecurity research efforts. We also met with representatives from two Department of Energy national laboratories, Sandia National Laboratories and Lawrence Livermore National Laboratory, and from Software Engineering Institute's CERT/CC. We interviewed cybersecurity researchers from academic institutions (Carnegie Mellon University, Dartmouth College, and the University of California at Berkeley) and corporate research centers (AT&T Research Page 4

13 Technology Assessment Overview Laboratories, SRI International, and HP Laboratories). Based on our initial analysis, we prepared a draft assessment outlining the cybersecurity challenges in critical infrastructure protection and actions that could be undertaken by key stakeholders. In October 2003, we convened a meeting, with the assistance of the National Academy of Sciences (NAS), to review the preliminary results of our work. Meeting attendees included representatives from academia, critical infrastructure sectors, and public policy organizations. We incorporated the feedback from the meeting attendees into the draft report. We provided our draft assessment report to DHS and NSF for their review. We also had the draft report reviewed by selected attendees of the meeting that NAS convened for this work, as well as by members of other interested organizations. We conducted our work from May 2003 to February 2004 in the Washington, D.C., metropolitan area; the San Francisco, California, metropolitan area; Princeton, New Jersey; and Pittsburgh, Pennsylvania. We performed our work in accordance with generally accepted government auditing standards. Our report describes the cybersecurity requirements of critical infrastructure sectors and their use of information technology. Currently available cybersecurity technologies and standards are organized by control categories. The report then covers cybersecurity implementation issues. We provide some guidance for infrastructure owners on using a risk-based framework to implement current cybersecurity technologies. We also identify specific actions that the federal government could initiate or continue, along with a policy analysis framework that could guide the implementation of these actions. Finally, in appendixes, we provide a summary of federal government's CIP policies and present technical details of current cybersecurity technologies. Background Since the early 1990s, increasing computer interconnectivity most notably growth in the use of the Internet has revolutionized the way that our government, our nation, and much of the world communicate and conduct business. While the benefits have been enormous, this widespread interconnectivity also poses significant risks to the government s and our nation s computer systems and, more important, to the critical operations and infrastructures they support. The speed and accessibility that create the enormous benefits of the computer age, if not properly controlled, allow unauthorized individuals and organizations to inexpensively eavesdrop on or interfere with these operations from remote locations, for mischievous or malicious purposes including fraud or sabotage. Page 5

14 Technology Assessment Overview CIP involves activities that enhance the security of our nation s cyber and physical public and private infrastructures that are critical to national security, national economic security, or national public health and safety. With about 85 percent of the nation s critical infrastructures owned and operated by the private sector, public-private partnership is crucial for successful critical infrastructure protection. Recent terrorist attacks and threats have further underscored the need to manage and encourage CIP activities. Vulnerabilities are being identified on a more frequent basis, which, if exploited by identified threats, could disrupt or disable several of our nation s critical infrastructures. Through a number of strategy and policy documents, including the recent Homeland Security Presidential Directive 7 (HSPD-7), the federal government has identified several critical infrastructure sectors (see table 1) and sector-specific agencies that are to work with the sectors to coordinate CIP activities. The critical infrastructure owners are ultimately responsible for addressing their own cybersecurity needs, but several other stakeholders play critical roles in enhancing cybersecurity for CIP. These include organizations representing sectors, such as sector coordinators and information sharing and analysis centers (ISAC), the federal government, and information technology (IT) vendors. Sector coordinators are individuals or organizations that help and encourage the entities within their sector to improve cybersecurity. Page 6

15 Technology Assessment Overview Table 1: Critical Infrastructure Sectors Defined in Federal CIP Policy Sector Agriculture Banking and finance Chemicals and hazardous materials Defense industrial base Emergency services Energy Food Government Information technology and telecommunications Postal and shipping Public health and healthcare Transportation Drinking water and water treatment systems Description Includes supply chains for feed and crop production. Consists of commercial banks, insurance companies, mutual funds, governmentsponsored enterprises, pension funds, and other financial institutions that carry out transactions, including clearing and settlement. Produces more than 70,000 products essential to automobiles, pharmaceuticals, food supply, electronics, water treatment, health, construction, and other necessities. Supplies the military with the means to protect the nation by producing weapons, aircraft, and ships and providing essential services, including information technology and supply and maintenance. Includes fire, rescue, emergency medical services, and law enforcement organizations. Includes electric power and the refining, storage, and distribution of oil and natural gas. Covers the infrastructures involved in post-harvest handling of the food supply, including processing and retail sales. Ensures national security and freedom and administers key public functions. Provides information processing systems, processes, and communications systems to meet the needs of businesses and government. Includes the U.S. Postal Service and other carriers that deliver private and commercial letters, packages, and bulk assets. Consists of health departments, clinics, and hospitals. Includes aviation, ships, rail, pipelines, highways, trucks, buses, and mass transit that are vital to our economy, mobility, and security. Includes about 170,000 public water systems that rely on reservoirs, dams, wells, treatment facilities, pumping stations, and transmission lines. Source: GAO analysis based on the President s national strategy documents and HSPD-7. Results in Brief All critical infrastructure owners rely on computers in a networked environment. Although all infrastructure sectors make use of similar computer and networking technologies, specific cybersecurity requirements in each sector depend on many factors, such as the sector s risk assessments, priorities, applicable government regulations, market forces, culture, and the state of its IT infrastructure. These factors, in combination with financial and other factors like costs and benefits, can affect an infrastructure entity s use of IT as well as its deployment of cybersecurity technologies. Cybersecurity Technologies There are a number of cybersecurity technologies that can be used to better protect critical infrastructures from cyber attacks, including access control technologies, system integrity technologies, cryptography, audit Page 7

16 Technology Assessment Overview and monitoring tools, and configuration management and assurance technologies. In each of these categories, many technologies are currently available, while other technologies are still being researched and developed. Table 2 summarizes some of the common cybersecurity technologies, categorized by the type of security control they help to implement. Table 2: Common Cybersecurity Technologies Category Technology What it does Access control Boundary Firewalls Controls access to and from a network or computer. protection Content management Monitors Web and messaging applications for inappropriate content, including spam, banned file types, and proprietary information. Authentication Biometrics Uses human characteristics, such as fingerprints, irises, and voices to establish the identity of the user. Smart tokens Establish identity of users through an integrated circuit chip in a portable device such as a smart card or time synchronized token. Authorization User rights and privileges Allow or prevent access to data and systems and actions of users based on the established policies of an organization. System integrity Antivirus software Provides protection against malicious code, such as viruses, worms, and Trojan horses. Integrity checkers Monitor alterations to files on a system that are considered critical to the organization. Cryptography Digital signatures and certificates Virtual private networks Audit and monitoring Intrusion detection systems Intrusion prevention systems Security event correlation tools Computer forensics tools Uses public key cryptography to provide (1) assurance that both the sender and the recipient of a message or transaction will be uniquely identified, (2) assurance that the data have not been accidentally or deliberately altered, and (3) verifiable proof of the integrity and origin of the data. Allow organizations or individuals in two or more physical locations to establish network connections over a shared or public network, such as the Internet, with functionality that is similar to that of a private network using cryptography. Detect inappropriate, incorrect, or anomalous activity on a network or computer system. Build on intrusion detection systems to detect attacks on a network and take action to prevent them from being successful. Monitor and document actions on network devices and analyze the actions to determine if an attack is ongoing or has occurred. Enable an organization to determine if ongoing system activities are operating according to its security policy. Identify, preserve, extract, and document computer-based evidence. Page 8

17 Technology Assessment Overview Category Technology What it does Configuration management and assurance Policy enforcement Applications Network management Continuity of operations tools Scanners Patch management Enable system administrators to engage in centralized monitoring and enforcement of an organization s security policies. Allow for the control and monitoring of networks, including management of faults, configurations, performance, and security. Provide a complete backup infrastructure to maintain availability in the event of an emergency or during planned maintenance. Analyze computers or networks for security vulnerabilities. Acquires, tests, and applies multiple patches to one or more computer systems. Source: GAO analysis. Critical infrastructure sectors use all of these types of cybersecurity technologies to protect their systems. However, the level of use of technologies varies across sectors and across entities within sectors. Cybersecurity Research Despite the availability of current cybersecurity technologies, there is a demonstrated need for new technologies. Long-term efforts are needed, such as the development of standards, research into cybersecurity vulnerabilities and technological solutions for these problems, and the transition of research results into commercially available products. While several standards exist for cybersecurity technology in the areas of protocol security, product-level security, and operational guidelines, there is still a need to develop standards that could help guide the use of cybersecurity technologies and processes. There are several research areas being pursued by the federal government, academia, and the private sector to develop new or better cybersecurity technologies. We have identified some of the important cybersecurity research needs shown in table 3. Page 9

18 Technology Assessment Overview Table 3: Cybersecurity Research That Needs Continuing Attention Research area Composing secure systems from insecure components Security for network embedded systems Security metrics and evaluation Socioeconomic impact of security Vulnerability identification and analysis Wireless security Description Building complex heterogeneous systems that maintain security while recovering from failures Detect, understand, and respond to anomalies in large, distributed control networks that are prevalent in electricity, oil and natural gas, and water sectors. Metrics that express the costs, benefits, and impacts of security controls from multiple perspectives economic, organizational, technical, and risk Legal, policy, and economic implications of cybersecurity technologies and their possible uses, structure and dynamics of the cybersecurity marketplace, role of standards and best practices, implications of policies intended to direct responses to cyber attacks. Techniques and tools to analyze code, devices, and systems in dynamic and large-scale environments Device- and protocol-level wireless security, monitoring wireless networks, and responding to distributed denial-of-service attacks in wireless networks Source: GAO analysis. In addition to the need for cybersecurity research that addresses existing cybersecurity threats, there is a need for long-term research that anticipates the dramatic growth in the use of computing and networks in the coming years. Some of the possible long-term research areas include tools for ensuring privacy, embedding fault-tolerance in systems, selfmanaging and self-healing systems, and re-architecting the Internet. Prior information technology developments have shown that more than 10 years are often required to develop basic research concepts into commercially available products. Cybersecurity Framework The use of an overall cybersecurity framework can assist in the selection of technologies to protect critical infrastructure against cyber attacks. Page 10

19 Technology Assessment Overview An overall cybersecurity framework includes: (1) determining the business requirements for security; (2) performing risk assessments; (3) establishing a security policy; (4) implementing a cybersecurity solution that includes people, process, and technology to mitigate identified security risks; and (5) continuously monitoring and managing security. Risk assessments, which are central to this framework, help organizations to determine which assets are most at risk and to identify countermeasures to mitigate those risks. Risk assessment is based on a consideration of threats and vulnerabilities that could be exploited to inflict damage. Even with such a framework, there often are competing demands for cybersecurity investments. For example, for some companies or infrastructures, mitigating physical risks may be more important than mitigating cyber risks. Further, investing in cybersecurity technologies needs to make business sense. For some critical infrastructure owners, national security and law enforcement needs do not always outweigh the business needs of the entity. Without legal requirements for cybersecurity, security officers often need to justify cybersecurity investments using either strategic or financial measures. Further, critical infrastructures and their component entities are often dependent on systems and business functions that are beyond their control, such as other critical infrastructures and federal and third-party systems. Several of the currently available cybersecurity technologies could, if used properly, improve the cybersecurity posture of critical infrastructures. It is important to bear in mind the limitations of some cybersecurity technologies and to be aware that their capabilities should not be overstated. Technologies do not work in isolation. Cybersecurity solutions make use of people, process, and technology. Cybersecurity technology must work within an overall security process and be used by trained personnel. In our prior reviews of federal computer systems, we found numerous instances of cybersecurity technology being poorly implemented, which reduced the effectiveness of the technology to protect Page 11

20 Technology Assessment Overview systems from attack. Best practices and guidelines are available from organizations such as NIST to assist infrastructure owners in selecting and implementing cybersecurity technologies. To increase the use of currently available cybersecurity technologies, various efforts can be undertaken. These efforts could include improving the cybersecurity awareness of computer users and administrators, considering security when developing systems, and enhancing information sharing mechanisms between the federal government and critical infrastructure sectors, state and local government, and the public. Federal Government Actions to Improve Cybersecurity of Critical Infrastructures Because about 85 percent of the nation s critical infrastructure is owned by the private sector, the federal government cannot by itself protect the critical infrastructures. There are three broad categories of actions that the federal government can undertake to increase the usage of cybersecurity technologies. First, the federal government can take steps to help critical infrastructures determine their cybersecurity needs, and hence their needs for cybersecurity technology. These actions include developing a national CIP plan, assisting infrastructure sectors with risk assessments, providing threat and vulnerability information to sector entities, enhancing information sharing by critical infrastructures, and promoting cybersecurity awareness. These activities can help infrastructure entities determine their needs for cybersecurity technology. This information can help the federal government to prioritize its actions and to assess the need to take further action to encourage the use of cybersecurity technology by critical infrastructure entities. Because the security needs of critical infrastructure could differ from the commercial enterprise needs of infrastructure entities, the federal government could assess the needs for grants, tax incentives, regulations, or other public policy tools to encourage nonfederal entities to acquire and implement appropriate cybersecurity technologies. Second, the federal government can take actions to protect its own systems, including parts of the critical infrastructure. These actions could lead others to emulate the federal government or could lead to the development and availability of more cybersecurity technology products. Third, the federal government can take long-term actions to increase the quality and availability of cybersecurity technologies available in the marketplace. Table 4 highlights many of the federal policy options and some examples of the current or planned activities undertaken by the federal government that implement these options. Page 12

GAO For Release on Delivery Expected at 10:00 a.m. EDT Tuesday, March 27, 2012 United States Government Accountability Office Testimony Before the Subcommittee on Oversight and Investigations, Committee

GAO United States General Accounting Office Testimony Before the Subcommittee on Technology, Terrorism and Government Information, Committee on the Judiciary, U.S. Senate For Release on Delivery Expected

Actions and Recommendations (A/R) Summary Priority I: A National Cyberspace Security Response System A/R 1-1: DHS will create a single point-ofcontact for the federal government s interaction with industry

United States Government Accountability Office Report to Congressional Requesters June 2014 INFORMATION SECURITY Additional Oversight Needed to Improve Programs at Small Agencies GAO-14-344 June 2014 INFORMATION

GAO United States Government Accountability Office Report to the Honorable F. James Sensenbrenner Jr., House of Representatives April 2007 INFORMATION SECURITY FBI Needs to Address Weaknesses in Critical

Middle Class Economics: Cybersecurity Updated August 7, 2015 The President's 2016 Budget is designed to bring middle class economics into the 21st Century. This Budget shows what we can do if we invest

Program Program Overview Cyber/physical security and data privacy have become critical priorities for electric utilities. The evolving electric sector is increasingly dependent on information technology

GAO United States Government Accountability Office Report to Congressional Requesters March 2010 CYBERSECURITY Progress Made but Challenges Remain in Defining and Coordinating the Comprehensive National

JOINT EXPLANATORY STATEMENT TO ACCOMPANY THE CYBERSECURITY ACT OF 2015 The following consists of the joint explanatory statement to accompany the Cybersecurity Act of 2015. This joint explanatory statement

Community Bank Auditors Group Cybersecurity What you need to do now June 9, 2015 By: Gerald Gagne MEMBER OF PKF NORTH AMERICA, AN ASSOCIATION OF LEGALLY INDEPENDENT FIRMS 2015 Wolf & Company, P.C. Cybersecurity

INEEL/EXT-04-02462 Revision 0 Control Systems Security and Test Center A Comparison of Oil and Gas Segment Cyber Security Standards Prepared by the Idaho National Engineering and Environmental Laboratory

United States Government Accountability Office Washington, DC 20548 September 16, 2008 The Honorable James R. Langevin Chairman Subcommittee on Emerging Threats, Cybersecurity, and Science and Technology

Priority III: A National Cyberspace Security Awareness and Training Program Everyone who relies on part of cyberspace is encouraged to help secure the part of cyberspace that they can influence or control.

INL/CON-07-13483 PREPRINT Help for the Developers of Control System Cyber Security Standards 54 th International Instrumentation Symposium Robert P. Evans May 2008 This is a preprint of a paper intended

Best Practices in ICS Security for System Operators A Wurldtech White Paper No part of this document may be distributed, reproduced or posted without the express written permission of Wurldtech Security

MASTER OF SCIENCE IN INFORMATION ASSURANCE PROGRAM DEPARTMENT OF COMPUTER SCIENCE HAMPTON UNIVERSITY HTTP://SCIENCE.HAMPTONU.EDU/COMPSCI/ The Master of Science in Information Assurance focuses on providing

GAO For Release on Delivery Expected at 10:00 a.m. EDT Thursday, October 6, 2011 United States Government Accountability Office Testimony Before the Subcommittee on Cybersecurity, Infrastructure Protection,

Cyber Security Automation of energy systems provides attack surfaces that previously did not exist Cyber attacks have matured from teenage hackers to organized crime to nation states Centralized control

GAO For Release on Delivery Expected at 3 p.m. EDT Wednesday, September 13, 2006 United States Government Accountability Office Testimony Before the House Committee on Homeland Security, Subcommittee on

Evaluation Report OIG-08-035 INFORMATION TECHNOLOGY: Network Security at the Office of the Comptroller of the Currency Needs Improvement June 03, 2008 Office of Inspector General Department of the Treasury

SECURING YOUR SMALL BUSINESS Principles of information security and risk management The challenge Information is one of the most valuable assets of any organization public or private, large or small and

TESTIMONY OF DANIEL DUFF VICE PRESIDENT - GOVERNMENT AFFAIRS AMERICAN PUBLIC TRANSPORTATION ASSOCIATION BEFORE THE HOUSE COMMITTEE ON GOVERNMENT REFORM ON THE 9/11 COMMISSION RECOMMENDATIONS ******* August

Network Security Administrator Course ID ECC600 Course Description This course looks at the network security in defensive view. The ENSA program is designed to provide fundamental skills needed to analyze

U.S. Cyber Security Readiness Anthony V. Teelucksingh Senior Counsel United States Department of Justice John Chris Dowd Special Agent Federal Bureau of Investigation Overview U.S. National Plan National

The Comprehensive National Cybersecurity Initiative President Obama has identified cybersecurity as one of the most serious economic and national security challenges we face as a nation, but one that we

Best Practices For Department Server and Enterprise System Checklist INSTRUCTIONS Information Best Practices are guidelines used to ensure an adequate level of protection for Information Technology (IT)

U.S. ELECTION ASSISTANCE COMMISSION OFFICE OF INSPECTOR GENERAL FINAL REPORT: U.S. Election Assistance Commission Compliance with the Requirements of the Federal Information Security Management Act Fiscal

U.S. Department of Energy Office of Inspector General Office of Audits and Inspections AUDIT REPORT Cybersecurity Controls Over a Major National Nuclear Security Administration Information System DOE/IG-0938

Content Teaching Academy at James Madison University 1 2 The Battle Field: Computers, LANs & Internetworks 3 Definitions Computer Security - generic name for the collection of tools designed to protect

FISMA Compliance: Making the Grade A Qualys Guide to Measuring Risk, Enforcing Policies, and Complying with Regulations EXECUTIVE SUMMARY For federal managers of information technology, FISMA is one of

THE WHITE HOUSE Office of the Press Secretary For Immediate Release February 12, 2013 February 12, 2013 PRESIDENTIAL POLICY DIRECTIVE/PPD-21 SUBJECT: Critical Infrastructure Security and Resilience The

Splunk Enterprise Log Management Role Supporting the ISO 27002 Framework EXECUTIVE BRIEF Businesses around the world have adopted the information security standard ISO 27002 as part of their overall risk

OFFICE OF THE INSPECTOR GENERAL SOCIAL SECURITY ADMINISTRATION CONTRACTOR SECURITY OF THE SOCIAL SECURITY ADMINISTRATION S HOMELAND SECURITY PRESIDENTIAL DIRECTIVE 12 CREDENTIALS June 2012 A-14-11-11106

MIS5206 Week 12 Your Name Date 1. Which significant risk is introduced by running the file transfer protocol (FTP) service on a server in a demilitarized zone (DMZ)? a) User from within could send a file

CESG Certification of Cyber Security Training Courses Supporting Assessment Criteria for the CESG Certified Training (CCT) Scheme Portions of this work are copyright The Institute of Information Security

U.S. Department of Energy Office of Inspector General Office of Audits & Inspections Evaluation Report The Department's Unclassified Cyber Security Program - 2012 DOE/IG-0877 November 2012 MEMORANDUM FOR